NIST releases final cybersecurity recommendations

Ron Ross

The National Institute of Standards and Technology (NIST) has released its final report on cybersecurity recommendations for the federal government.

NIST teamed up with DoD and other agencies in the Intelligence Community (IC) to find common security solutions for agencies and contractors.

While conducting their work, officials identified solutions for securing cyber networks, but also examined new threats related to IT -- and the country's overall infrastructure -- that didn't exist years ago.

Ron Ross is with NIST's computer security division and worked on the project and explained more during Thursday's Daily Debrief.

"We call this document an historic document in the sense that we've been working for the last couple of years with our counterparts over in the Intelligence Community, through the Office of the Director of National Intelligence and the Defense Department, to try to look at the various sets of security controls that were being used by the three communities of interest, to include the civil side that NIST represents. It turns out that, for the vast majority of controls that were used in all three communities, we had a lot of overlap. There was a lot of commonality amongst what we were doing."

Ross said this realization enabled the researchers to develop a catalogue based on a foundation created by NIST. Those on the project added controls specific to the IC and DoD.

NIST does not mandate the additional controls for national security; rather, Ross said, the specific controls are in the catalogue and can be used by any community that wants additional security.

"In the [IC] and [DoD], the committee on National Security Systems (CNSS) is working on a companion publication that will point to the control catalogue . . . and then [any community] can pick whatever controls they want out of the catalogue they feel are appropriate, and mandate those controls for their particular communities of interest. So it's really the best of all worlds."

Ross said NIST, the IC and DoD all take advantage of each other in order to make sure the best controls are developed for a world-wide customer base.

"The vast majority of the controls, whether they're management, operational or technical in nature, are common to the entire federal community. Where we tend to diverge would be in the cryptography areas. The national security systems may require a stronger grade or higher cryptography. The personnel security in the DoD and [IC] tend to have higher security clearances . . . and the physical security tends to be a little bit stronger around those facilities that have national security systems. But, if you take out those three areas, almost everything else we have pretty much in common with the other communities."

Ross said, overall, this most recent document doesn't contain many surprises, though new challenges appeared when compared to years ago.

In addition, many security fundamentals are reiterated, though they have been updated for today's modern, more complex systems.

"Literally we have millions of lines of code in the operating systems, the middleware, the applications -- all riding on a bed of integrated circuits. It's an extremely complicated undertaking. It's always very difficult to figure out where to apply the appropriate security controls, the number of controls, the rigor, the assurance level of those controls, how good those controls are -- [it is] very difficult in an environment where you have this type of complexity. Also, everything is connected to everything else today."

That environment of connectivity, whether it be between agencies, agencies and state and local governments, or agencies and the private sector, presents its own set of challenges, as well.

"There were no real surprises. The attacks continue to get better and better. You can download very sophisticated attack tools from the Internet now and you can launch those attacks with very low cost laptop computers. So, the attack potential is there and there's lots of smart people out there who are continuing to try and figure out how to break into the systems. Our job on the defensive side is to try and anticipate those types of attacks and close them down as soon as we can."

Ross added that another, more intangible challenge was identified.

"Our increasing independence on information technology. . . . This dependence on the technology and the ability the adversaries to attack specific places in the system give us great concern -- especially in things like critical infrastructure, where you have electric power grids, water distribution systems, first responders that are depending on this technology for their mission and business success. We worry not only about the attacks bringing down significant portions of the infrastructure, we also worry about the opposite extreme -- where the adversaries will implant malicious code into the systems, fully intending to keep those systems operational, but exfiltrating critical data out the back end."